Links

Saturday, March 1, 2008

more on user training vs. technical solutions

I did a post about a post on Rational Surviability:http://rationalsecurity.typepad.com/blog/2008/02/mcgoverns-ten-m.html

I left the comment below and got the response underneath it. Figured I'd address it on here first then cut and paste over there...

---

My comment:

what is the fix to your #4? You can only stick so many technical barriers in place to prevent your users from opening and clicking on emails they shouldnt. why does it seem like the whole industry is saying that users cannot be trained?

If you are running an operating system/mail client environment that is susceptible to attacks launched by users clicking on attachments -- which they have done without letup since there have been attachments to click on and GUI mail clients that permit them to click, and which they will continue to do no matter what you or I or anyone else ever tells them -- then your software environment is broken. Fix it.

**I guess i'm ignorant, what magical OS and mail system do you propose that allows the functionality that most people have come to expect from a Windows environment?

Part of that fix, if you're not willing to upgrade to superior operating system/mail client software that is immune to this rudimentary problem, might consist of configuring your mail servers to disallow all attachments by default and only permit those for which there is a business need.

**how do I determine for a large organization what is a business need for each individual? what happens when i guess incorrectly? how doest that scale? realistically how do you propose that is done? again in a Windows environment how do you suddenly say you cant email your powerpoint, excel, and word or pdf documents? or do I allow those even though i can trojanize those?

This is by no means a panacea -- fixing/replacing the broken software is clearly a far better idea -- but it can at least partially mitigate the problem, and it's certainly much better than permitting all attachment types by default.

**what if the malware comes through in normal MS office documents?? do i strip all of those out by default?

As to educating users, it's one of the dumbest ideas in security. As Marcus Ranum has famously pointed out, if it was going to work...it would have worked by now. If you are relying on user education as part of your strategy, you are doomed. See "The Six Dumbest Ideas in Security" for a fine explanation of this.

**I don't know Marcus, but some of that list is pure garbage, especially #4. But back to #5, are you proposing i wait for the next generation of people who are going to magically become better educated without any training to come and fill those seats of user's now? that's just fucking stupid. If users can never be fixed"if it was going to work, it would have worked by now" then why havent we developed a technical solution that works yet? Oh yes, its because the code is broken too, and the fix for that is writing secure code from the start...i'm still waiting for my "securely coded" application to replace everything else that is already in place.

"A better idea might be to simply quarantine all attachments as they come into the enterprise, delete all the executables outright, and store the few file types you decide are acceptable on a staging server..."

and what if the malware comes in via files I allow? what now? A good example would have been the adobe mailto exploit that just came out (now patched). how would your solution have stood up to that? I shouldnt allow pdf's in?

what about when i am stripping out attachments from the CEO or some other high level person that doesnt care about security who just needs to get work done. I guess if you have a network of computer literate people those types of solutions become viable. for the rest of us not working in fantasy land, those suggestions are just crap.